For our IAM Insight Jam, we asked identity experts from around the globe to share predictions for identity management in 2020. Originally, we planned on posting all of their comments and predictions on Twitter under the hashtag #IAMInsightJam. However, we faced two unique challenges:
- We received so many more predictions than we could have ever hoped.
- Often, the predictions we received went into profound depth and detail.
Admittedly, these are the best challenges to have. However, they make posting the full predictions almost impossible for the Twitter-based event. Thankfully, we decided on perhaps the best kind of compromise. We’re going to post shortened versions of the predictions for identity management for 2020 on Twitter during the Jam. As we post, we plan to continually update this article with each expert’s full prediction. Thus, you get the best of both worlds for this first-ever Jam.
Without further ado, here we present our identity experts’ thoughts on identity management in 2020. While you’re reading, feel free to check out our 2020 Identity Management Buyer’s Guide.
Experts Share Their Predictions for Identity Management in 2020
VP of Product, Wandera
Context Will Become King When it Comes to Authentication
As the drive toward a passwordless future continues, access will be determined by context – where you are logging in, what time, and from what device. This shift in authentication will change the need for passwords. While the methods of authentication will likely continue to move toward a superior biometrics-based approach, the most important authentication factor will become the context in which users are looking to gain access. Soon, opening different apps will not only rely on facial recognition or your fingerprint, but where you are, the network you’re connected to, the country you’re working from. In 2020, context will be king in the world of authentication.
Chief Strategy Officer, JumpCloud
IAM Technologies will continue to converge
We have seen the identity and access market ‘sea’ of vendors perpetuate best of breed/point solutions that when integrated, solve a greater ‘mesh’ of access control and governance needs. The market will continue to contract while vendors strive towards workbenches/platforms to provide wider coverage. This will be especially pronounced in the SME, where budgets are more constrained.
Zero Trust is forcing a rethink in least privileged approaches to resource access
The ‘domain’ is no longer defined by brick and mortar locations, in addition to reducing access to ensure least-privilege is the de facto. With remote operations now a reality, the perimeter needs to be defined wherever the internet can reach and demands a robust amount of user self-service. This will be achieved by automation and remote-based policy controls that will leverage security-first principles to gate initial access, then roles the user can play when accessing versus an assumption of complete lockdown.
The richness of user identity information stored will trigger key IAM processes
IAM solutions will be required to expand the information set currently stored about a user. This is not to be confused with PII, but rather data points that inform a user’s role, department, location and very specific elements about their means of access (e.g. the systems they are accessing resources from) for security policies to do their job in providing real-time access to resources.
The device matters deeply in the relationship to IAM
Zero Trust is forcing IT and security teams to understand that a neat ‘domain’ of tethered workstations is no longer a reality. Disparity of OSs (beyond Windows), and the fact that solutions like Microsoft’s Active Directory are often not in play in modern organizations (especially within the SME), requires a very special set of technologies and management to secure access to the devices that are the gateway to accessing corporate resources (wherever those resources live…in the cloud or on-premise).
The risk associated with phishing attacks will be the security executive’s top concern in 2020. A year ago, companies were all talking about malware. Phishing attacks are becoming more sophisticated and even professionals can’t detect all of them. There is a real need for technologies that can detect and block this kind of attack, especially when sent via email. The urgency to detect threats at first sight (from the moment they are released) and eliminating the time window which poses a high-risk level will rise.
The timeframe in which attacks have the most devastating impact on their victims is from the moment they are released and until they are detected by a security solution. Since it takes a few hours (or more) for even the most sophisticated security solution to detect a new never-before-seen attack, the risk within the first few hours is huge. Organizations and security professionals need to acknowledge this and are expected to see it as a key challenge.
Chief Security Scientist, Thycotic
“In 2019, we saw more of the same — privileged accounts are still the No. 1 target of cybercriminals, making identity and access management the top issue in cybersecurity. One of the best practices for protecting organizations’ data and systems has been the zero-trust model, using micro-segmentation to isolate data, deployments and workloads, and protect them individually. However, in 2020, we should see a progression to an adaptive trust approach to adjust protections as risk fluctuates — when risk is high, security increases and when risk is low, security decreases.
Unfortunately, cybercriminals are becoming more sophisticated. As they develop new strategies and employ new technology, such as Deepfakes, we will see a response from major governments. These governing organizations will work to pass new compliance regulations and ramp up financial penalties for companies’ misuse of data. We can expect to see legislation expand to include more industries and to increase regulation over more kinds of data, such as biometrics. However, users and their organizations shouldn’t wait for new compliance rules. It is critical for users to be cautious with what data they put online and their organizations need to secure the access these users obtain.”
VP of Identity and Fraud & Risk Intelligence Products, RSA
The promise and peril of a multi-authenticator world. Despite a growing number of options, there is still no one-size-fits-all solution for the varying identity and access management needs across organizations and dynamic workforces. The industry will need more buyer support and guides to assist in the decision-making process—ultimately helping organizations strike a balance between security and the user experience.
CTO, Abacus Group
- In 2020 more companies will use public clouds, not because they are ready, but because they are being forced by vendors.
- Firms that adopt public clouds in 2020 will discover new risks in customer experience and cybersecurity.
- In 2020 vendors will ramp down upkeep for legacy on-prem software and accelerate SaaS-based models.
- Public cloud users will need to focus on vendor plans for on-prem deployments or risk unexpected expenses.
CTO, Menlo Security
Blurred Lines: Corporate and Personal Identity Will Converge
With the rise of bring-your-own-device (BYOD) culture in the workplace and the access to personal accounts, corporate and personal identities have started to become one and the same. Context is a large part of redefining identity, with who you are being based on a number of factors rather than just a username and password. As we continue to shift toward using biometrics as a primary mode of authentication, even for work devices, those lines will continue to blur even further.
CEO, Evident ID
Data breaches are growing larger and more frequent, due in part to the vulnerabilities of knowledge-based verification and multi-factor authentication with SMS and email. This will eventually lead to enterprises adopting better remote identity verification solutions for account recovery processes around issuing new credentials and resetting passwords. Businesses will begin to embrace technology-driven authentication methods like authenticator apps, passwordless logins, and biometrics to ensure their account holders are protected.
This change supports the zero-trust world in which we live, where the presentation of credentials, like a password or token, will no longer be sufficient on their own to grant access to an account with any level of assurance, and where corroborated identity must be combined with authentication to ensure both safe access and reduced fraud.
Budget and time will continue to be spent on identity verification technology and processes to support compliance with privacy legislation, as governments put increasing emphasis on data security and privacy. While adapting to powerful regulations that require organizations to leverage stronger identity verification mechanisms that produce higher levels of assurance can be challenging, this will only become more necessary in a time where cybercriminals are becoming even savvier.
Biometric fraud will become more prominent than ever before, as seen with the rise of deep fakes, which are quickly becoming more lifelike and believable. As they advance, bad actors are using deep fakes for nefarious purposes, such as stealing sensitive data and spreading misinformation. As verification technology advances in 2020, so too will the dark technologies that can outsmart it, leaving the cybersecurity industry no choice but to be proactive with constant innovation.
In today’s modern bank, fraud departments are tasked with identifying when fraud occurs and mitigating the incident. Their job is to simply detect the presence of fraudulent activity, rather than correctly identify account holders. But increasingly, privacy laws and other regulations like PSD2 in Europe are calling for organizations like banks to confirm identification, so security professionals have to look beyond the fraud solutions. In 2020, identification as we know it will become personal.
SVP of Product Management, MobileIron
The smallpox of cybersecurity – passwords – will be eradicated by 2025.
Passwords are ingrained in our society because they’ve been around for over 60 years, but this doesn’t mean it’s the safest way to secure our digital lives. Passwords are not only a hassle – they’re antiquated and open us up to even more cyber threats. Similar to how smallpox was eradicated, if we band together, we can wipe out passwords and the onus is on the technology industry to drive security forward by eliminating them. Capabilities like zero sign-on, software and hardware tokens, behavioral analysis, and biometrics already exist that allow organizations to switch to passwordless authentication today.
IoT Marketing Manager, GlobalSign
Healthcare will continue to be a prime target for cyberattacks
The introduction of IoT connected healthcare devices, and the high value of private electronic medical record (EMR) information, creates a unique and attractive attack surface which makes it absolutely irresistible to hackers. Namely, it’s growing and it’s lucrative. Researchers and forecasters agree that the healthcare-related IoT will continue to experience rapid growth.
But more devices may lead the way to more attacks. According to Health IT Security magazine, the majority of healthcare organizations, IoT manufacturers, and other organizations that leverage IoT devices have faced a cyberattack focused on IoT within the last 12 months. That includes businesses in Germany, the UK, the U.S., Japan, and China.
These attacks and their costs have everyone on high alert. Medical device manufacturers and health delivery organizations (HDOs) will be looking for ways to reduce the attack surface. They will find relief through traditional PKI-based identity platforms that provide unique device identities to authenticate users, devices, networks, and gateways. By building a network of identity and trust, manufacturers can then enable secure and connected communication.
Senior Vice President, Imperva
While IAM has a place in cybersecurity, since we all want to confirm one’s identity, the fact is that most data breaches occur from a fully authorized user account, meaning, these breaches occur post-IAM. The repeated problem we see in enterprises today is the reliance on technology at the periphery of data with little scrutiny or controls on the data itself. IAM’s gaps include malicious users, but more so careless and opportunistic users.
I predict that the trend of more enterprises recognizing the gaps that identity and general user tracking introduce will continue, as IAM and user tracking are common mainstays of cybersecurity. However, post-breach, the shift to models where user and data tracking intersect will continue to rise, as questions around data access continue to confound security teams.
Post-breach questions like: “We know ‘John’ logged in, and we know it was ‘John’. Did he take any data? How much did he take? How did he take it? Where did it go?”
Knowing “John” logged in, and confirming it was John, does little to answer the questions regulators, business leaders, and law enforcement agencies ask.
President and Chief Security Officer, HighSide
Cloud services (IaaS, PaaS, SaaS) will make managing identities more and more important (and increasingly difficult without appropriate tools). Identity will be the last perimeter IT security teams can hope to have, and as has been proven with this year’s Capital One / AWS breach, even the best-resourced teams will have an occasional lapse in operational implementation of identity policies and controls.
Yaron Kassner, Ph.D.
Co-Founder and CTO, Silverfort
As enterprises are moving to the cloud, cloud-based authentication and IAM solutions will be needed to ensure secure access to migrated systems. We will also see wider adoption of identity-based zero trust solutions as securing access of anything-to-anything becomes a priority, within internal corporate networks and across corporate cloud environments.
VP of Marketing, ID R&D
We’re getting close to finally achieving the strong authentication necessary for the complex digital identities of today. The industry is moving, rightly, away from using solely knowledge-based or device-based authentication, and toward a combination of methods that are not only independent of each other, but that also “positively identify” users. That is to say, all organizations are moving toward recognizing that a user, Jane Doe, is actually logging in vs. recognizing that someone with Jane Doe’s credentials is logging in. Shifting authentication to being identity-focused, instead of access-focused, is better for everybody.
As fraudsters increasingly use AI to breach users’ digital identity, collaboration across the industry will become even more important. Efforts like the DeepFake Detection Challenge, a project that’s attracted Facebook, Amazon, and Microsoft as well as tech startups and university teams, or global challenges like ASVspoof, exemplify the kind of industry cooperation that will best prepare all of us for the future of protecting digital identity.
Today’s consumers expect their interactions with brands will be both fast and easy. Security is the point of friction that often leaves customers feeling frustrated, or worse, leads them to abandonment. Savvy businesses realize that authentication isn’t just a security issue, but also a customer experience imperative and are looking at solutions that can deliver on both points.
Chief Fraud Prevention Officer, Nuance Communications
As consumers react to the growing number of data breaches and demand better protection from the companies with whom they do business, they will also start to take matters into their own hands.
While using multi-factor authentication for all accounts (whether a mobile app, website, call center or other customer service channel) for secure authentication has long been a best practice, consumers will begin using a password in conjunction with another authentication technique to help protect their data and devices when available.
This means opting for biometrics—such as voice recognition, fingerprint, face scanning, etc.—when it is available. Facial recognition and fingerprint ID on smartphones and other devices have paved the way for making consumers comfortable and accustomed to biometric identification. Biometrics—from voice to behavior and other forms of biometrics technologies—are a natural extension, and convenient for companies to adopt because they don’t have to redesign physical systems or devices.
CEO, Identity Automation
A “just in time” approach to access will expand beyond the traditional scope of privileged access as organizations look for ways to get more granular with access controls and eliminate unnecessary standing access.
Identity will become the new perimeter, as traditional security boundaries have expanded to incorporate a plethora of user types, endpoint devices, and internal and external resources. Ensuring security will come down to effectively managing user identities and the access they are granted.
The Bring Your Own Identity or BYOI will transition from trend to common practice, shaking up existing approaches to identity and access management. Instead of creating a new digital identity, more and more users will opt for the convenience of simply selecting to use an existing identity, such as Google, Facebook, or Apple to access digital services.
Chief Security Officer, Keyfactor
Connectivity will continue to drive security identity and access management challenges, like breaches and systems outages in 2020. Companies have long looked at identity within their organization as an individual or a person, but it’s so much more than that, spanning devices and applications. The massive rise in the number of these connected identities and the juggling act required to manage the risk they introduce has created an exposure epidemic at the enterprise level. Expect to see enterprise IT teams embrace IAM orchestration tools that will help them streamline and automate manual identity management processes and have the ability to plug into their security management tools.
Over the next few years, we’re going to see the adoption of more biometric-based consumer authentication technologies. There are going to be more movements toward leveraging rich biometrics for convenience, which will leverage significantly more and better sensors (iris scanning, body posture, etc.) in end user-facing devices. Further, advanced machine learning models will allow for better context-based authentication assessments and improve the authentication process, like geofencing and device biometric sensors. All of this will come hand-in-hand with increasing awareness around privacy.
How to Learn More About Identity Management in 2020
Thanks to all of our experts for their predictions and their participation in the IAM Insight Jam! Check out our Identity Management Buyer’s Guide for 2020! We cover the top providers and their key capabilities.